Setting Up Ansible with Ansible

Background

I am responsible for a few dozen Linux servers at work, and although there was an effort to install Salt a few years ago, they are all managed individually and manually. I spend more time than I should ssh’ing into boxes to add users, install applications, or restart services. I looked into Puppet a few months ago, but it seemed too complicated and clunky for my environment. Specifically, I really didn’t want to install and troubleshoot the client on dozens of servers. A few people had recommended Ansible to me, and it looked like a great option.
After waiting two months for the second edition to come out, I picked up a copy of Ansible Up & Running by Lorin Hochstein and Rene Moser. Realizing that I wouldn’t have time to read through the text at work, it became my nighttime reading. After only one chapter, I felt confident that it was the right choice for my current environment (~40 CentOS and RHEL virtual and physical machines). It was easy to install on my Mac using Homebrew and just as easy to start using. Best of all, I didn’t have to ssh into every machine on the network to install a client, but I did need to create Ansible users on the machines.

That meant, for 40+ servers, I needed to:
- create an ansible user
- add the user to wheel
- enable passwordless sudo for that user
- add a public key to the user’s authorized_keys file

That would have taken me at least a few hours and I would have probably misconfigured at least one of the servers. That was before Ansible. From what I had learned in the first chapter, I was able to use my current user account (in wheel) to run the needed configuration without manually logging into each machine.

Here’s how I did it:

Configuration:

In the configuration file (ansible.cfg), I set the remote user to myself, and instead of using a private key for authentication, I set the ask_pass flag to true. With this flag set, Ansible will prompt me for my password once when I run the playbook. I have also disabled host key checking (host_key_checking = False) to speed things up.

Playbook:

Since we don’t use passwordless sudo for anything other than Ansible, that line in the sudoers file was commented out. I used that comment in the regular expression (see last section below) to select the correct line in sudoers (if you don’t use that comment in your RE, it will select the wrong line, enabling passwordless sudo for all users in wheel). Instead of setting it to %wheel ALL=(ALL) NOPASSWD: ALL, I specified the ansible user. As much as I dread typing in my password twice, it is worth it to prevent accidental sudos.

Running the playbook:

When I run the playbook, I use the --ask-become-pass (-K) option to prompt for the sudo password. You should be prompted twice (once for the user password and once for the sudo password). In most cases these will be the same, but you still need to enter it twice.

If you see a bunch of ok’s, then you are done. You can log onto one of the servers to check that the ansible user has been created, is in wheel, and can sudo without a password.
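The playbook described above, written out as an added example (this is not the author’s original file, which the post does not reproduce). It assumes an inventory group called servers, a public key saved at files/ansible.pub next to the playbook, and the stock CentOS/RHEL sudoers with its commented-out NOPASSWD line for wheel; ansible.cfg is assumed to carry the remote_user, ask_pass and host_key_checking settings from the Configuration section.

```yaml
# Added example, not the post's own playbook. Run with:  ansible-playbook -K bootstrap-ansible.yml
# Assumed: inventory group "servers", key file files/ansible.pub, stock CentOS/RHEL /etc/sudoers.
---
- name: Bootstrap the ansible user on every server
  hosts: servers
  become: yes              # every task needs root; -K supplies the sudo password

  tasks:
    - name: Create the ansible user and put it in wheel
      user:
        name: ansible
        groups: wheel
        append: yes        # add wheel without dropping any existing secondary groups
        shell: /bin/bash

    - name: Install the public key in ~ansible/.ssh/authorized_keys
      authorized_key:
        user: ansible
        key: "{{ lookup('file', 'files/ansible.pub') }}"

    # The stock sudoers ships the NOPASSWD rule for wheel commented out:
    #   # %wheel  ALL=(ALL)  NOPASSWD: ALL
    # Anchoring the regexp on that leading '#' selects exactly that line. A looser
    # pattern such as '^%wheel' would select the active "%wheel ALL=(ALL) ALL" rule
    # instead and hand passwordless sudo to everyone in wheel (the mistake the text warns about).
    - name: Grant passwordless sudo to the ansible user only
      lineinfile:
        path: /etc/sudoers
        regexp: '^#\s*%wheel\s+ALL=\(ALL\)\s+NOPASSWD:\s*ALL'
        line: 'ansible ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'   # reject a malformed edit instead of breaking sudo

    - name: Confirm sudoers now grants ansible passwordless sudo
      command: sudo -l -U ansible
      register: sudo_check
      changed_when: false
      failed_when: "'NOPASSWD' not in sudo_check.stdout"
```

The final task replaces the manual log-in check: it fails the play on any host where the ansible user did not end up with a NOPASSWD rule.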

To start using the new ansible user account, you will need to edit the third and fourth line in your configuration file, ansible.cfg. On the fourth line, use the private key that corresponds to the public key that you used in your playbook (here, id-rsa):